Page 1: Force10 Networks

Force10 Networks
Security 2007, Denver – April 11, 2007
Debbie Montano, [email protected]

Page 2: Force10 Networks


Special Note Regarding Forward Looking Statements

This presentation contains forward-looking statements that involve substantial risks and uncertainties, including but not limited to, statements relating to goals, plans, objectives and future events. All statements, other than statements of historical facts, included in this presentation regarding our strategy, future operations, future financial position, future revenues, projected costs, prospects and plans and objectives of management are forward-looking statements. The words “anticipates,” “believes,” “estimates,” “expects,” “intends,” “may,” “plans,” “projects,” “will,” “would” and similar expressions are intended to identify forward-looking statements, although not all forward-looking statements contain these identifying words. Examples of such statements include statements relating to products and product features on our roadmap, the timing and commercial availability of such products and features, the performance of such products and product features, statements concerning expectations for our products and product features and projections of revenue or other financial terms. These statements are based on the current estimates and assumptions of management of Force10 as of the date hereof and are subject to risks, uncertainties, changes in circumstances, assumptions and other factors that may cause the actual results to be materially different from those reflected in our forward looking statements. We may not actually achieve the plans, intentions or expectations disclosed in our forward-looking statements and you should not place undue reliance on our forward-looking statements. In addition, our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures or investments we may make. We do not assume any obligation to update any forward-looking statements.
Any information contained in our product roadmap is intended to outline our general product direction and it should not be relied on in making purchasing decisions. The information on the roadmap is (i) for information purposes only, (ii) may not be incorporated into any contract and (iii) does not constitute a commitment, promise or legal obligation to deliver any material, code, or functionality.  The development, release and timing of any features or functionality described for our products remains at our sole discretion.

Page 3: Force10 Networks


Agenda

University Security Challenges

Force10 and P-Series Overview

Key Technology

Applications

Platform Details and Roadmap

Page 4: Force10 Networks

The Challenge of Securing University Networks

Highly skilled users (x,000 sys admins)

Firewall policies are difficult to match to dynamic applications

Diverse desktops plus wireless clients that the university cannot easily control

Traditional corporate threats (large-scale credit card theft, DDoS blackmail, etc.) are now faced by universities

Page 5: Force10 Networks

Trends for High Speed Security and Monitoring in Universities

Link speeds are increasing faster than edge and campus security systems

Increasing traffic and growing security threats create new requirements:
– Full security that can protect 100% of traffic without impacting performance
– Flexibility to ensure a more efficient response to unknown or malicious traffic

Page 6: Force10 Networks

Securing 10 GbE WANs

“Do” the following at 10 Gbps:
– Deep packet inspection ("visibility")
– Attack detection (IDS)
– Packet filtering (firewalling)
– DoS and DDoS protection (traffic rate shaping and rate limiting)

Much less so...
– VPNs and site-to-site encryption (most likely IPsec based)
– Bots and other large-scale worms/viruses
– Honeypots / Honeynets
– Source port verification


Page 8: Force10 Networks


Force10 Pioneers in 10 GbE Switching & Routing

Founded in 1999

First to ship line-rate 10 GbE switching & routing

Pioneered new switch/router architecture providing best-in-class resiliency and density, simplifying network topologies

Customer base spans academic/research, data center, enterprise and service provider

Page 9: Force10 Networks


Acquisition of P-Series Platform

Force10 pioneered 10 GbE switching and routing

Vision to become the next great networking company

Applying high performance switching and routing innovation to network security

Recommended to us by leading R&E and Gov’t customers

Page 10: Force10 Networks

Force10 Product Portfolio: Industry Leading Density, Resiliency & Security

Chassis (1/2, 1/3 and 1/6 rack footprints; capacity to grow for 10+ years):
– E1200: 1.68 Tbps; up to 1,260 GbE or 224 10 GbE ports
– E600: 900 Gbps; up to 630 GbE or 112 10 GbE ports
– E300: 400 Gbps; up to 288 GbE or 48 10 GbE ports

Switches:
– S50: 48 GbE + 2 x 10 GbE (1 RU)
– S2410: 24 x 10 GbE (1 RU)
– S50V: 48 GbE PoE + 4 x 10 GbE
– S25P: 24 GbE + 4 x 10 GbE

Security:
– P1/P10: line-rate Gbps and 10 Gbps IDS/IPS

Page 11: Force10 Networks

P-Series Development

Originally funded by NSF grant

Subsequent application funding by:
– USAF (design of 10 GbE card)
– NSA (surveillance inside IPv6 traffic)


Page 13: Force10 Networks

Network Security Evolution (performance over time)

1995-1999: Software based
– Central CPU; slow, < 100 Mbps

2000-2005: Custom hardware in an appliance
– ASIC assist to central CPU
– Better filtering, active protection
– GbE up to 2 Gbps

2006-2008: Force10 P-Series, line-rate 10 GbE performance
– Dynamic mapping of inspection policies into hardware
– Designed for 20 – 80 Gbps

2007-2010: Custom hardware integrated into modular switches & routers
– Full security integration on every port all the time
– Designed for 336 – 672 Gbps

Page 14: Force10 Networks

Dynamic Parallel Inspection (DPI): Delivering High Speed Network Security

Fundamentally new architecture at the core of the P-Series
– DPI delivers the highest deep packet inspection scalability and flexibility in the industry
– Apply thousands of signatures to every packet in parallel

Open programmability at 10 GbE delivers leading flexibility
– Create signatures in hardware to speed processing

Parallel processing ensures massive rule scalability under all traffic loads

Page 15: Force10 Networks


Inside the 10 GE linecard

Page 16: Force10 Networks

1-10 Gbps Programmable Network Security

Open architecture to leverage open source software
– More robust, more flexible, promotes composability
– Hardware acceleration of important network applications
– Abstract the hardware as a network interface from the OS perspective

Retain a high degree of programmability
– Extend to applications beyond IDS/IPS
– New threat models (around the corner)

Line speed / low latency to allow integration in production networks
– Unanchored payload string search
– Support analysis across packets
– Gracefully handle state exhaustion

Hardware support for adaptive information management
– Detailed reporting when reporting bandwidth is available
– Dynamically switch to more compact representations when necessary
– Support the insertion of application-specific analysis code in the fast path


Page 18: Force10 Networks

Firewall IDS/IPS

High Performance (> 330K cps; 20 Gbps)

Unique level of programmability
– What is IN and what is OUT?
– Two organizations sharing each other’s services
– Insider attacks
– Can define stateful policies asymmetrically or symmetrically
– Hardcode part of the policies in hardware
– Keep software-like flexibility
– Can code specific policies directly into the fast-path

Layer-1
– Invisible: 1.5 µs latency
– True line rate (20 Gbps)
– Drops in and out with NO L2/3 reconfiguration

Page 19: Force10 Networks

10 GbE Inspection and Blocking: Needles & Haystacks

Ability to define "internal" and "external" interfaces:
– Custom rules based on traditional firewall controls (source, destination, mask, range, protocol, service & port, VLAN)
– Stateful: allow internal "holes" to go out, but stop external traffic from coming in

Parallel processing provides rules logic flexibility
– Rules can be ordered, summed, or written with explicit overrides (e.g. whitelisting)
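The policy model on this slide (an "internal" and an "external" interface, ordered rules, state opened by inside-initiated flows, and explicit whitelist overrides that win over everything else) as an added, runnable illustration. This is not Force10 or P-Series code: the rule fields, the address ranges and the sample packets are constructed for the example.

```python
# Added example, not Force10 code: a small model of the slide's "internal"/"external"
# stateful policy with ordered rules and explicit whitelist overrides. Field names,
# addresses and rules are constructed for illustration.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A packet as seen on one of the two inspection interfaces.
Packet = namedtuple("Packet", "iface src dst proto sport dport")

class Rule:
    """One traditional firewall control: interface, src/dst prefix, protocol, port range."""
    def __init__(self, action, iface=None, src="0.0.0.0/0", dst="0.0.0.0/0",
                 proto=None, dports=range(0, 65536)):
        self.action, self.iface, self.proto, self.dports = action, iface, proto, dports
        self.src, self.dst = ip_network(src), ip_network(dst)

    def matches(self, p):
        return ((self.iface in (None, p.iface)) and (self.proto in (None, p.proto))
                and ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and p.dport in self.dports)

class StatefulPolicy:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # 5-tuples of flows that were opened from the internal side

    def decide(self, p):
        # 1. Explicit overrides (whitelisting) win regardless of rule order or flow state.
        for r in self.rules:
            if r.action == "override" and r.matches(p):
                return "permit"
        # 2. Replies to a flow the inside opened are let back in ("internal holes go out").
        if p.iface == "external" and (p.dst, p.src, p.proto, p.dport, p.sport) in self.flows:
            return "permit"
        # 3. Ordered first-match rules, default deny. A permitted outbound packet opens state.
        for r in self.rules:
            if r.action != "override" and r.matches(p):
                if r.action == "permit" and p.iface == "internal":
                    self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return r.action
        return "deny"

def demo():
    policy = StatefulPolicy([
        Rule("override", iface="external", src="203.0.113.0/24", proto="tcp", dports=range(22, 23)),
        Rule("deny", iface="external"),    # the external side may not open connections ...
        Rule("permit", iface="internal"),  # ... but the internal side may go anywhere
    ])
    out = policy.decide(Packet("internal", "10.0.0.5", "198.51.100.7", "tcp", 40000, 443))
    reply = policy.decide(Packet("external", "198.51.100.7", "10.0.0.5", "tcp", 443, 40000))
    unsolicited = policy.decide(Packet("external", "198.51.100.9", "10.0.0.5", "tcp", 443, 40001))
    partner_ssh = policy.decide(Packet("external", "203.0.113.4", "10.0.0.5", "tcp", 50000, 22))
    return out, reply, unsolicited, partner_ssh  # ("permit", "permit", "deny", "permit")
```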

Page 20: Force10 Networks

IPS Application

Industry’s first IPS to support line-rate 10 GbE inspection on every packet

SNORT 2.0 rules compiler

Expansion to any rules base:
– Gov't customers utilizing Bro
– R&E customers utilizing PF firewall rules
– Growing list of SNORT-like variants (ACID, Bleeding Edge, etc.)

Resilient system architecture
– Inspection ports are invisible to attackers
– System does not fail under high load conditions
– No active components (CPU, PCI bus) in data path

Used inline, offline, or as pre-filter

[Figure: traffic pipeline of Packet Capture, Custom Rules, Signature Detection, Stateful Packet Firewall and Intrusion Protection; mixed traffic enters, inspection/capture and clean/block policies are applied, good traffic passes and captured traffic goes to Traffic Monitoring]

Page 21: Force10 Networks

Over 1500 Signatures Supported: Sample IDS/IPS Signatures

Layer 3 IP Protocol
– Unknown IP Protocol
– RFC1918 address
– Ping Of Death

TCP
– Netbios OOB Data
– Windows RPC DCOM Overflow
– Sametime Activity
– Worm Mitigation

UDP
– Snork, MP2P Client Scan

IP OPTIONS
– BAD IP OPTION
– Record Packet Rte

ICMP
– ICMP Echo Rply, ICMP Unreachable
– ICMP Src Quench

HTTP
– HTTP tunneling
– AIM/ICQ Through HTTP Proxy
– MSN Messenger Through HTTP Proxy
– Yahoo Messenger Through HTTP Proxy

DNS
– DNS Request All
– DNS SIG Overflow

SMTP
– SPAM attacks (SMTP RCPT TO: Bounce)
– Lotus Notes Mail Loop DoS

FTP
– FTP Improper Address, FTP Improper port

RPC
– RPC Dump, Proxied RPC

Page 22: Force10 Networks

Campus and WAN Applications for Universities

Universities are deploying P-Series in WAN edges and in high speed cores

Key Applications
– 1 & 10 GbE IDS/IPS (SNORT, Bro, or Custom)
– 10 GbE Firewalling and Deep Packet Inspection
– High Speed Network Monitoring
– Flexible, Customized Wire-Speed Packet Analysis

[Figure labels: WAN, Campus Core]

Page 23: Force10 Networks

University Innovators

Univ. of Nebraska’s PKI Institute:
– In conjunction with the Dept of Homeland Security, runs a security research lab
– Uses P10 inline to accelerate SNORT for the high speed core

Oxford University:
– “Argus” research group (www.robots.ox.ac.uk/~argus/ )
– Customized packet analysis for high speed networks

University of Cal., Santa Cruz:
– 1 Gigabit inspection for WAN edge
– Facing WAN edge inline, filters “hay” from needles
– Presentation of UCSD High Speed IDS at: http://www.nanog.org/mtg-0501/tatarsky.html

Page 24: Force10 Networks

High Performance Surveillance

Technically a “hard problem”: high performance inspection with open programmatic flexibility for the dynamic, fast-changing requirements of Lawful Intercept

Key system design goals
– Predictable
– Provable / legal
– Responsive (low latency)
– Simplicity / reliability
– Secure (access and capture)
– Packet/frame/IPv agnostic
– Ideally, as few boxes as possible

Page 25: Force10 Networks

Surveillance Application

Technical features for lawful intercept include:
– Stateful rules
– Line-rate capture performance; no packet loss under full load
– Hardware-based packet time stamping
– Exact search and match strings in known and “unanchored” search criteria across IPv4 and v6
– No extra packet buffering or “contaminants”
– Gracefully handle state exhaustion
– Scaling to 1000 (16 byte) on-the-fly dynamic searches
– Secure, remote box management via SSH

[Figure: Internet – P-Series P1 or P10 – E600 or E1200 POP – Storage Servers]
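Two requirements that recur on the technology slide and on this one, "unanchored" payload string search with "analysis across packets" and "gracefully handle state exhaustion", as an added software illustration. This is not P-Series code: it shows in software what a stream-aware matcher must do (carry the tail of the previous packet forward per flow, and keep inspecting per packet once the flow table is full rather than failing open or closed); the flow keys, sample packets, signature strings and the fall-back policy are all assumptions made for the example.

```python
# Added example, not Force10 code: an "unanchored" payload string search that still
# finds a signature split across two packets of the same flow by carrying the last
# len(longest pattern) - 1 bytes of each packet forward. Flow keys, packets and the
# state-exhaustion policy (degrade to per-packet search, never drop traffic) are assumptions.

class StreamMatcher:
    def __init__(self, patterns, max_flows=2):
        self.patterns = [p.encode() for p in patterns]
        self.carry = max(len(p) for p in self.patterns) - 1  # bytes kept per flow
        self.max_flows = max_flows                           # flow-state table size
        self.tails = {}        # flow -> last `carry` bytes seen on that flow
        self.exhausted = 0     # packets inspected without cross-packet context

    @staticmethod
    def _ends_in_new_data(pattern, window, old_len):
        # Count a match only if it ends inside the new payload, so that a short
        # pattern sitting entirely in the carried-over tail is not reported twice.
        i = window.find(pattern)
        while i != -1:
            if i + len(pattern) > old_len:
                return True
            i = window.find(pattern, i + 1)
        return False

    def inspect(self, flow, payload):
        """Signatures found in this packet of `flow`, including ones straddling the previous packet."""
        tracked = flow in self.tails
        if not tracked and len(self.tails) < self.max_flows:
            self.tails[flow] = b""
            tracked = True
        if not tracked:
            # State exhausted: keep inspecting each packet on its own instead of
            # failing open (passing everything) or failing closed (dropping traffic).
            self.exhausted += 1
        tail = self.tails.get(flow, b"")
        window = tail + payload
        hits = sorted(p.decode() for p in self.patterns
                      if self._ends_in_new_data(p, window, len(tail)))
        if tracked:
            self.tails[flow] = window[-self.carry:] if self.carry else b""
        return hits

def demo():
    # Constructed sample traffic: three flows keyed by (client, port); signatures are illustrative.
    m = StreamMatcher(["/etc/passwd", "cmd.exe"], max_flows=2)
    a, b, c = ("10.0.0.5", 40000), ("10.0.0.6", 40001), ("10.0.0.7", 40002)
    r1 = m.inspect(a, b"GET /../../etc/pa")           # first half of a signature
    r2 = m.inspect(a, b"sswd HTTP/1.0\r\n")            # second half: matched via carried tail
    r3 = m.inspect(b, b"GET /scripts/cmd.exe HTTP/1.0")  # whole signature inside one packet
    r4 = m.inspect(c, b"GET /../../etc/pa")           # third flow: no state slot left
    r5 = m.inspect(c, b"sswd HTTP/1.0\r\n")            # cross-packet context lost, still inspected
    return r1, r2, r3, r4, r5, m.exhausted
```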

Page 26: Force10 Networks

Configuration + Reporting

Compile policies off-line
– Makefile (open Unix CLI environment)
– Add user code in the fast-path

Add Permit and Deny on the fly
– Immediate action

Run any pcap application on the interface
– Use Snort’s output plugins: syslog, email, packet archive

MIB-II Host/Interface Monitoring
– Disk, daemons, SNMP traps


Page 28: Force10 Networks

Available Today

P10 PCI-X Card (10 GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 20G in / 20G out
– 2 x 1 GbE mirror ports
– 8000 static rule capacity; 600 dynamic rules
– 8 million concurrent flows

P1 PCI Card (GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 2G in / 2G out
– 1000 static rule capacity; up to 200 dynamic (currently being increased)
– 2 million concurrent flows
– Line-rate IPv6

P1/P10 Appliance
– 1U host embeds a P1 or P10 PCI card
– Software and drivers pre-installed and pre-configured

Page 29: Force10 Networks

Deployment Models

Inline Operation
– Block unwanted traffic
– Capture interesting flows
– Good traffic passes through
– Two sensing ports (full duplex) + two mirroring ports

Passive Operation
– Capture interesting flows
– Up to two sensing ports

[Figure labels: sensing & mirroring ports, sensing port, logging port or PCI interface]

Page 30: Force10 Networks

High Availability

– Based on external bypass units
– All state maintained by active-active P10s

[Figure: two P10s with Reporting and Bypass paths]

Page 31: Force10 Networks

Power Failure

No power
– Stateful in-line: no packet loss; no loss of connection state
– Traditional rerouting: L2/L3 convergence time; loss of state

[Figure: CPU, Reporting and Bypass paths]

Page 32: Force10 Networks

OS Upgrade

Soft reboot, OS reconfiguration, change OS
– Forwarding + policies are unaffected; no loss of connection state
– Once the upgrade is over, the OS reattaches to the forwarding path

[Figure: CPU, Reporting and Bypass paths]

Page 33: Force10 Networks

Policy update

Fast-path reconfiguration (new policies are added/deleted)
– Loading new static policies: open for < 1 s; loss of connection state
– Loading dynamic policies: no loss of state

[Figure: CPU, Reporting and Bypass paths]

Page 34: Force10 Networks

Summary of Differentiation

Always line-rate
– Unanchored payload string search
– Support analysis across packets
– Gracefully handle state exhaustion

Retain a high degree of programmability
– Architecture guarantees determinism
– New threat models (around the corner)

Open architecture to leverage open source software
– More robust, more flexible, promotes composability
– Abstract the hardware as a network interface from the OS perspective
– Future proofing to extend to applications beyond IDS/IPS

Page 35: Force10 Networks

P-Series Delivers Industry’s Highest Performance and Lowest Price Per Gbps

[Chart 1: Price Per Gbps Throughput, $0 to $60,000 scale; vendors compared: Force10, TippingPoint, McAfee, Cisco, Juniper]

[Chart 2: Performance Throughput; y-axis "% Line-Rate Throughput with 100% Rules" (0 to 100), x-axis "Traffic Throughput" from 1 Gb to 20 Gb; series: Force10 P-Series vs. Traditional IPS]

Page 36: Force10 Networks

Competitive Analysis Summary

| | Force10 | Cisco | Juniper | Endace | Bivio |
|---|---|---|---|---|---|
| Interface Options | 2 x 10 GbE | 2 to 5 10/100/1000 | 2 to 6 10/100/1000 | NIC or App.: 4 x 1 GbE, 2 x 10 GbE | 12x GE, 6x GE Fiber, 2 x 10GE |
| Interface Speed | Line-rate 10 GbE | 1 GbE OS | 1 GbE OS | 10 GbE OS | 10 GbE OS |
| Total Throughput | 20 Gbps | 800 Mbps | 1 Gbps | 5 Gbps | 10 Gbps |
| Latency | ~16 us | 750 us | 100 us | 100 us | 215 us |
| Rule Flexibility | Open; Snort | Proprietary | Proprietary | Capture-only | Proprietary |
| TCP sessions | 2-8,000,000 | 1,00000 | 800,000 | 800,000 | 2,000,000 |
| Price Range | $130,000 | $40,000 | $57,000 | $120,000 | $200,000 |
| Signatures | 8000 | 1,700 | 3200 | 1,400 | 3,000 |
| Placement | Inline/Offline | Inline/Offline | Inline/Offline | Offline | Inline/Offline |

Page 37: Force10 Networks

P-Series PTSP Roadmap

Releases: 2.1 (May 31, 2007), 2.2 (July 31, 2007)

Roadmap items (the slide grouped these under Hardware and Software and by release; that layout is not preserved in this text):
– P10: 8000 signatures; 2 x 1 GbE mirror ports
– Session scaling to 8M
– Blocking during boot
– Field upgradeable FPGAs
– PCI-X core
– Stateful temporary packet capture
– API
– Linux driver support
– Dynamic content rules
– 2 + 2 mirroring
– Management UI
– Rules counter
– Line-rate stateful firewall
– IPv6
– Packet re-write

Legend on the original slide: Black: Committed Feature; Red: Targeted Feature; Blue: Feature on Our Radar (colour is not preserved in this text)

Page 38: Force10 Networks


Debbie Montano

[email protected]

Director of Research & Education Alliances